KernelScan.io

HIGH

driver core DriverMatch UAF

CVE-2026-31688

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 6.2 (MEDIUM)


In the Linux kernel, the following vulnerability has been resolved:

driver core: enforce device_lock for driver_match_device()

Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held.

Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a scoped guard. Replace the unlocked calls in bind_store() and __driver_attach() with this new helper. Also add a lock assertion to driver_match_device() to enforce this guarantee.

This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field.

Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings.


Engine v0.2.0

Risk summary

A race condition in the Linux kernel driver core allows a local attacker with root privileges to trigger a use-after-free during device-driver matching. By concurrently manipulating driver binding (the sysfs bind attribute) and a device's driver_override state, the attacker can cause the driver_override string to be freed while a bus match() callback is still reading it, leading to kernel memory corruption, information disclosure, or a system crash.

Affected: drivers/base/dd.c (driver core)

Vulnerability analysis

The vulnerability stems from inconsistent locking around driver_match_device() calls in the driver core. While __device_attach_driver() holds device_lock(dev) when it calls driver_match_device(), the bind_store() and __driver_attach() paths call it without acquiring the lock. Because the driver_override implementation relies on device_lock to serialize updates to that field, an unlocked match() call can read the driver_override string while a concurrent write frees it, producing a use-after-free. The fix introduces driver_match_device_locked(), which takes the device lock with a scoped guard before matching, replaces the two unlocked call sites with it, and adds a lock assertion to driver_match_device() so that any future unlocked caller is caught under CONFIG_LOCKDEP. The attack surface is local-only and requires root privileges, because both the sysfs bind attribute and the driver_override attribute are writable only by root in the default kernel configuration.


Branch     Fixed in   Patch commit
mainline   7.0        dc23806a7c47